Bug #53237 mysql_list_fields/COM_FIELD_LIST stack smashing - remote execution possible
Submitted: 28 Apr 2010 8:21    Modified: 14 Oct 2010 14:51
Reporter: Andrey Hristov
Status: Closed
Category: MySQL Server: General    Severity: S1 (Critical)
Version: 4.1, 5.0, 5.1, 5.6.99, probably 3.23, 4.0    OS: Any
Assigned to: Ramil Kalimullin    CPU Architecture: Any
Triage: Triaged: D1 (Critical)

[28 Apr 2010 8:21] Andrey Hristov
Description:
COM_FIELD_LIST is an old command of the MySQL server, from before there was a real move to SQL only. It seems that the data sent to COM_FIELD_LIST (the mysql_list_fields() function) is not checked for sanity. By sending long data for the table, a buffer is overflowed, which can be used deliberately to include code that harms. That code can return to another place in memory and take over the server. Because the data files are accessible to the user under which MySQL works, this means that all data under management could be at risk.

The bug cannot be exploited by directly using mysql_list_tables of libmysql, because it includes a protection:
  DBUG_ENTER("mysql_list_fields");
  DBUG_PRINT("enter",("table: '%s'  wild: '%s'",table,wild ? wild : ""));

  end=strmake(strmake(buff, table,128)+1,wild ? wild : "",128);

However, any other client code might not obey this (mysqlnd, for example, does not) and may send data of arbitrary length to the server.

How to repeat:
You need PHP 5.3.0 or greater with mysqlnd support (--with-mysql=mysqlnd on Linux, or just plain PHP binaries for Windows - mysqlnd is default on Windows).
<?php
if (!$link = mysql_connect("127.0.0.1", "root", "root", "test")) {
	printf("Cannot connect to the server");
	exit(1);
}
// 64 KiB table name: far longer than any fixed server-side buffer
if ($res = mysql_list_fields("test", str_repeat('test', 16384), $link)) {
	printf("[001] got result set, where none was expected");
}
mysql_close($link);
print "done!";
?>

The result is:
100428 10:17:22 [ERROR] ./mysqld: Can't find file: './test/testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestt' (errno: 36)
*** stack smashing detected ***: ./mysqld terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb75126d8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7512690]
./mysqld(_Z10open_tableP3THDP10TABLE_LISTP11st_mem_rootPbj+0x25b)[0x82b69db]
[0x74747365]
======= Memory map: ========
08048000-08820000 r-xp 00000000 08:06 9372050    /work/mysql-server/mysql-5.1/sql/mysqld
.....
thd: 0xa37c9e0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb289e3a8 thread_stack 0x40000
./mysqld(my_print_stacktrace+0x22) [0x85fe872]
./mysqld(handle_segfault+0x3d9) [0x8264819]
[0xb7752400]
/lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb7445268]
/lib/tls/i686/cmov/libc.so.6 [0xb748116d]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48) [0xb75126d8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0) [0xb7512690]
./mysqld(open_table(THD*, TABLE_LIST*, st_mem_root*, bool*, unsigned int)+0x25b) [0x82b69db]
[0x74747365]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0xa3c9278 =
thd->thread_id=2
thd->killed=NOT_KILLED

Suggested fix:
Don't blindly copy the data coming from the client into fixed buffers.
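An added example in C (not MySQL's own code) showing the two defenses this report describes: the client-side strmake() truncation quoted from libmysql, reimplemented here as strmake_copy(), and a server-side bounded parser for a COM_FIELD_LIST-style body that checks the table-name length against the packet length and rejects oversized input instead of copying it into a fixed stack buffer. The limits MAX_TABLE_NAME and MAX_WILD and the function names are assumptions for this example, not MySQL's constants or API.

```c
#include <stddef.h>
#include <string.h>

/* Limits assumed for this example; not MySQL's actual constants. */
#define MAX_TABLE_NAME 64
#define MAX_WILD       64

/* Reimplementation of the strmake() semantics used in the libmysql
 * snippet quoted above: copy at most `length` bytes of src into dst,
 * always NUL-terminate, and return a pointer to the terminating NUL.
 * This is the client-side truncation that keeps mysql_list_fields()
 * from sending an oversized name in the first place. */
static char *strmake_copy(char *dst, const char *src, size_t length)
{
    while (length-- && (*dst = *src) != '\0') {
        dst++;
        src++;
    }
    *dst = '\0';
    return dst;
}

/* Server-side handling of a COM_FIELD_LIST-style body: a NUL-terminated
 * table name followed by the wildcard bytes. This is the fix the
 * reporter asks for: validate lengths against the packet length before
 * copying, and reject (not merely truncate) input that does not fit the
 * fixed buffers. Returns 0 on success, -1 if malformed or oversized. */
static int parse_field_list(const unsigned char *body, size_t body_len,
                            char table[MAX_TABLE_NAME + 1],
                            char wild[MAX_WILD + 1])
{
    /* The table name must be NUL-terminated inside the packet itself. */
    const unsigned char *nul = memchr(body, '\0', body_len);
    if (nul == NULL)
        return -1;
    size_t table_len = (size_t)(nul - body);
    size_t wild_len = body_len - table_len - 1;   /* bytes after the NUL */
    if (table_len == 0 || table_len > MAX_TABLE_NAME || wild_len > MAX_WILD)
        return -1;
    memcpy(table, body, table_len);
    table[table_len] = '\0';
    memcpy(wild, nul + 1, wild_len);
    wild[wild_len] = '\0';
    return 0;
}
```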
[28 Apr 2010 9:37] Sveta Smirnova
Thank you for the report.

Verified as described. I used a shorter string: str_repeat('test', 1638)
[1 May 2010 13:47] Bugs System
Pushed into 5.0.91 (revid:joro@sun.com-20100501134604-ra243s5b389j6ttn) (version source revid:ramil@mysql.com-20100429044232-f0pkyx8fnpszf142) (merge vers: 5.0.91) (pib:16)
[5 May 2010 15:08] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:ramil@mysql.com-20100429045409-r7r5lcyiruis15v7) (merge vers: 5.1.47) (pib:16)
[7 May 2010 8:16] Lenz Grimmer
This is now tracked as CVE-2010-1850 on http://cve.mitre.org/
[11 May 2010 16:22] Paul Dubois
Noted in 5.0.91, 5.1.47 changelogs.

COM_FIELD_LIST could be abused to cause a server stack overflow,
resulting in a crash or code exploit.
[11 May 2010 16:44] Paul Dubois
Revised changelog entry:

The server was susceptible to a buffer-overflow attack due to a
failure to perform bounds checking on the table name argument of a
COM_FIELD_LIST command packet. By sending long data for the table
name, a buffer is overflown, which could be exploited by an
authenticated user to inject malicious code.
[28 May 2010 6:01] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (pib:16)
[28 May 2010 6:29] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[28 May 2010 6:57] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100429203306-tg0wz4y2xyx8edrl) (merge vers: 5.5.5-m3) (pib:16)
[29 May 2010 2:34] Paul Dubois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 12:04] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 12:47] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[17 Jun 2010 13:31] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:vasil.dimov@oracle.com-20100331130613-8ja7n0vh36a80457) (merge vers: 5.1.46) (pib:16)
[6 Jul 2010 19:04] Paul Dubois
Noted in 5.1.46sp1 changelog.
[8 Jul 2010 18:53] Bugs System
Pushed into 5.1.49 (revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (version source revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (merge vers: 5.1.49) (pib:16)
[4 Aug 2010 7:53] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:05] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:21] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:02] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 22:52] Paul Dubois
Already fixed in 5.1.x, 5.5.x.
Bug does not appear in any released 5.6.x version.
[14 Oct 2010 8:29] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:45] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 8:59] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 14:51] Jon Stephens
Already documented as noted above; no new changelog entries required. Setting back to Closed state.